See $URL and bug 235770.
All in-tree versions (1.2.7-r1, 1.2.8, 1.2.9) only install scripts which either use mktemp properly or place temporary files in a pre-created directory which is owned by the super user.
The user may change this path using the --tmpdir option in some cases, but even in that case rkhunter warns about it if the user tries to use /tmp.
Debian ships a newer version of this package, so we should be careful when bumping.
Currently not affected.
Might be affected in the future if new versions of rkhunter find their way into the tree.
BTW: Several scripts in the tarball look like they are vulnerable to temporary file issues, but we don't install those.
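The two safe patterns named above (mktemp, or a pre-created directory that only its owner can write to) can be combined in one check, shown here as an added example that is not code from rkhunter or the ebuild. The function names are hypothetical, and the invoking user stands in for the super user (they coincide when run as root).

```shell
#!/bin/sh
# Added example: hypothetical helpers, not taken from rkhunter.

# Return 0 only if $1 is an absolute path to a real directory (not a
# symlink) that is owned by the invoking user and is not writable by
# group or others. A shared directory such as /tmp fails this check.
tmpdir_is_private() {
    dir=$1
    case $dir in
        /*) ;;              # absolute paths only
        *)  return 1 ;;
    esac
    # -prune tests the path itself without descending; find does not
    # follow a symlink given on the command line by default.
    found=$(find "$dir" -prune -type d -user "$(id -u)" \
        ! -perm -020 ! -perm -002 -print 2>/dev/null) || return 1
    [ -n "$found" ]
}

# Create a temporary file inside a vetted directory and print its path.
new_private_tmpfile() {
    dir=$1
    if ! tmpdir_is_private "$dir"; then
        echo "refusing temp dir '$dir': shared or not owned by us" >&2
        return 1
    fi
    # mktemp chooses an unpredictable name and creates the file
    # exclusively with mode 0600, so a pre-planted file or symlink
    # at a guessed name is never opened.
    mktemp "$dir/scan.XXXXXX"
}
```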